Security in the age of connected kettles

We need to start demanding more of our government and business leaders in enforcing online security

A few weeks back I gave a presentation to the Australian Seniors Computer Clubs Association as part of Staying Safe Online Week.

The presentation, Security In The Age of Connected Kettles, looked at where we are today with online security and some of the challenges facing individuals, businesses and communities as threats become more pervasive with cloud computing, personal technology and the internet of things while the people creating these risks become more professional.

Overall, it’s not a cheery scenario and I end with a call to action that we have to start insisting business, public sector and political leaders start taking online security seriously as a public safety issue.

Over ten slides we covered where we are today in personal and small business online security and some of the challenges facing individuals as computing moves onto the cloud and smartphones.

The ongoing online safety battle

Online safety is evolving as we move from PCs to tablets and smartphones. Today the risks are increasingly appearing on our mobile devices, although the desktop computer and email scams remain the biggest risk.

It’s increasingly about the money

A change to the security landscape in recent times has been the rise of professional malware. While a decade ago most of the hacks and viruses we saw were the work of people demonstrating their skills or causing mischief, today there is big money in compromising computers and capturing data.

The rise of ransomware

One of the best examples of the professionalisation of the internet’s bad guys is the rise of ransomware.

Ransomware locks your computer with a demand for payment to release your data; if you don’t pay you lose all your information.

Many of the online threats though are far more subtle; the theft of data from Target, compromises of Sony’s customer databases and ongoing security breaches illustrate how the risks are far greater than just on our desktop.

Smartphone lockups

Ransomware has moved off personal computers onto smartphones with both Android and Apple systems being attacked.
The ‘hacked by Oleg Pliss’ message is a good example of how Apple’s products are just as much at risk as other companies’ platforms.
Also the ‘hacked by Oleg Pliss’ lockup shows how the security aspects of cloud computing services are going to become more important to the average person.

Security basics

The basic advice for the average user remains the same:

  • Strong passwords
  • Don’t use common passwords
  • Be careful what you click on or visit
  • Keep your systems up to date
  • Have good security software

However times are changing and many security issues are out of the average person’s control.

Lessons from Heartbleed

The Heartbleed OpenSSL bug illustrated the limits of individuals in protecting their information. As a bug in the secure socket layer software, the Heartbleed Bug could expose sensitive data on websites using the service.

The disappointing thing with Heartbleed is that people following good security policies were vulnerable.

Probably the biggest threat with Heartbleed however is the Internet of Things, where relatively simple devices – the connected kettle – could expose security credentials.

The Target hack

Another example of how security is beyond the control of the individual user is the Target hack. Hackers found their way into the US department store’s network through an air-conditioning contractor. From there, they were able to steal millions of customer payment details.

The Target hack is one of dozens of similar corporate security compromises and this will continue until security is taken seriously by company directors and regulators.

A pocket sized security breach

As the Oleg Pliss hack showed, smartphones are not immune to security breaches.

With our phones gathering increasingly more data on our behaviour, protecting the data they gather is going to become one of the biggest challenges facing us.

Rich data

Smartphones are not just gathering location data; as technologies like iBeacons roll out, more information is being gathered from more sources.

When we go shopping, attend a football game or visit the doctor these technologies are collecting information on our personal habits and behaviour.

Not a generational issue

One of the myths around security and privacy is that concerns revolve around the generations.

The idea that only older people care about privacy or that younger folk understand technology is a myth.

Unfortunately however our political and business leaders come from a segment of society that doesn’t care about or understand the technology or issues.

If meaningful change is to be made in securing our information, then we’re going to have to demand our business and political leaders take these issues seriously.


Posting without permissions

Facebook’s groups feature can be dangerous if you don’t check before adding people.

A client of mine once had an angry worker scream at him when she found out he’d posted photographs of all his staff on the company’s website.

“My ex is a psycho, he doesn’t know where I live or work. If he finds this, he might come around here and kill us all,” she cried.

The photos went down immediately and Kevin made sure he got explicit consent before he posted any details of his staff onto the website.

It was a valuable lesson on why you shouldn’t just post people’s details online without first asking them. We all have reasons why we’d like to keep certain facts out of the public light.

A Texan gay choir’s organiser posting the details of members onto Facebook is another reminder of why it’s a bad idea to put someone else’s details online without asking them first.

For two members of the Queer Chorus at the University of Texas, having their sexual orientation pasted on their Facebook feeds caused terrible damage with their families, and it should serve as a lesson to every manager, business owner or community group leader that this stuff matters.

One of the worrying features with Facebook is how other people can add you to groups without your permission – almost certainly a recipe for misunderstanding and mischief.

What’s even more unforgivable with Facebook’s conduct is that the privacy settings for those groups override an individual’s own privacy settings.

As one of the victims said in the Wall Street Journal of when her father saw the status update, “I have him hidden from my updates, but he saw this. He saw it.”

So even though both the individuals had chosen to lock their profiles away from public view, Facebook and the organiser of the group decided they knew better.

We shouldn’t let the administrator of the Facebook group off the hook for this lapse; Christopher Acosta decided to make the group open and public. “I was so gung-ho about the chorus being unashamedly loud and proud,” he’s quoted as saying.

That’s nice when you have a tolerant family and you’re from a liberal community but for others that ‘transparency’ can lead to damaging family relations for years, if not lifetimes. In some communities the consequences could be far worse.

“I do take some responsibility,” says Mr Acosta. Which is a nice way of accepting you might have screwed somebody’s life up by doing something you didn’t understand.

Ultimately responsibility lies with the person who presses the button which causes the email or status post to be published. In this case Christopher Acosta was responsible.

To be fair to Mr Acosta, the ability to add people to Facebook groups without their permission is deeply flawed, as is the way those groups’ settings override an individual’s privacy preferences.

Facebook have to understand there are real life consequences to ‘transparency’ which can ruin careers and even cost the lives of people. The damage to families and communities can be immense.

Coming from a secure upper middle class white background, Mark Zuckerberg probably doesn’t quite understand the risks his company’s policies pose to people in vulnerable situations. Hopefully some of his older and wiser advisers will explain why ‘transparency’ and ‘openness’ are not always a good idea.


Securing your online passwords

On ABC Sydney we look at how you can make your passwords more secure

Every Internet user has to struggle with the burden of passwords as we’re expected to remember dozens of log in details for various websites and computer networks.

As we’re seeing though, passwords aren’t that effective with universities and private companies being hacked on a regular basis. The problem is so bad banks are considering moving to fingerprints to replace PIN and password logins.

Even if passwords are going to become irrelevant as we move to biometric logins like fingerprints and iris scans, they aren’t going away quickly, so how do we protect our important online accounts?

Use different passwords

One of the key ways to protect yourself is not to use the same passwords for every site. Some critical sites, like your online banking and email, need protecting with strong passwords while others like social media sites don’t require such tough security.

As we’ve seen with various security breaches, most notably the continual Sony hacks of 2011 and the deeply embarrassing Stratfor leaks, even the strongest passwords are useless if some dill leaves them on an unprotected server.

Use strong passwords

For the sites that matter, make sure the passwords are strong. You’ll find how to make memorable, easy to use and strong passwords on the Netsmarts site.

You don’t need to use strong passwords on every site. For some websites that require registration to access, you might want to fall back on the much maligned password or 12345 for those publications.

Change default passwords

Most of the hacks on university and corporate networks happen because the default passwords on servers aren’t changed. This was also how News International workers broke into British mobile phone message banks. When you get a new phone or tablet computer, make sure you change the basic passwords that have come with the device and any associated service.

Update your systems

One of the biggest vulnerabilities for home and business computer systems is unpatched systems. Malicious websites, viruses and various tricks use known weaknesses in computer systems to bypass security measures. This applies to Apple Mac users as well.

Consider two factor authentication

Two factor authentication involves having double security; this could be a password linked to an SMS or a special one-off code. Services like Gmail offer this, as do many corporate networks and banks.

Be careful linking social media services

A bigger risk than hackers is phishing, where someone tricks you into giving away your password. This has become very common in hijacking social media accounts.

If you’ve linked various social media services together then one being compromised can mean bad guys have access to all of your accounts, so be cautious about what applications you allow to connect with your Facebook page or Twitter account.

For businesses

Cyber security is critical for business. It’s been estimated that one in six companies who’ve been compromised will fail as a result of the breach, and a credit card lapse can be expensive as well as embarrassing.

The Australian government’s Defence Signals Directorate has an excellent guide to securing computer networks. The DSD’s research shows that just following four basic rules will prevent 85% of attacks.

We should also keep in mind no security system is perfect. Just as your car doors or home can be broken into by a determined thief, the same is also true with computer networks: a skilled operator with enough time and resources can beat even the toughest cyber security regime.


Join Facebook, get expelled

How can schools and parents deal with children wanting to get onto social media

Facebook is problematic for schools. On one hand it’s a great tool for kids to connect with their peers and relatives, while it also can amplify problems for children who don’t have the emotional maturity to deal with online issues.

A common aspect of Facebook and many of the other social media services is that the minimum age for sign ups is thirteen years old and the consensus among online safety experts is children younger than that shouldn’t be encouraged to break the rules.

Given the issues involved with younger children using Facebook it’s not surprising that teachers and school principals try to discourage younger children from signing up.

One Queensland school principal has now ordered that any of her students breaching Facebook’s terms by signing up when under 13 will be expelled.

That’s pretty draconian although one can sympathise with the teachers, particularly given many parents allow children to sign up despite knowing they are breaking Facebook’s terms.

How the parents have reacted is interesting too, with online safety expert Susan McLean saying “You could not print the response to the principal that some of the mothers wrote on Facebook”. None of this is surprising as some see their rights, and those of their children, as being paramount.

Facebook and other social media services are tough for parents as younger kids see their older siblings online and want to be there too. Given many teenagers build their social lives around the service, you can understand the pressure children put on mum and dad to sign them up.

As kids are going to eventually sign up to Facebook, and are probably already on services like Habbo Hotel or Club Penguin, they are going to have to deal with the issues all of us encounter online. So at least if parents are supervising usage, harm can be limited.

One area that seems to be misunderstood is why Facebook has a “no under 13s” policy. It isn’t, as child psychologist Dr Michael Carr-Gregg believes, because Facebook care about emotionally immature children; it is due to the US COPPA law.

COPPA – the Children’s Online Privacy Protection Act – was passed in the late 1990s to prevent inappropriate data being collected on minors. For US based social media services it’s easier to exclude children rather than set up systems that comply with the law.

There are many good reasons why children should be allowed to use online services, but respecting the terms and conditions of these sites is important too.

While expelling children from school may be taking things too far, it’s not good to be encouraging twelve-year-old kids to lie about their ages – they’ll be doing that soon enough in their late teens.